
Firewall and SmartDefense
Version NGX R62

702048 September 25, 2006

© 2003-2006 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

© 2003-2006 Check Point Software Technologies Ltd. All rights reserved.

Check Point, Application Intelligence, Check Point Express, the Check Point logo, AlertAdvisor, ClusterXL, ConnectControl, Connectra, Cooperative Enforcement, Cooperative Security Alliance, CoSa, DefenseNet, Eventia, Eventia Analyzer, Eventia Reporter, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, IMsecure, INSPECT, INSPECT XL, Integrity, InterSpect, IQ Engine, NGX, Open Security Extension, OPSEC, OSFirewall, Policy Lifecycle Management, Provider-1, Safe@Office, SecureClient, SecureKnowledge, SecuRemote, SecurePlatform, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, SiteManager-1, SmartCenter, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1 UTM Edge, VPN-1 Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications.

For third party notices, see: THIRD PARTY TRADEMARKS AND COPYRIGHTS.

Contents

Preface
    Who Should Use This Guide ..................................... 16
    Summary of Contents ........................................... 17
        Section 1: Network Access ................................. 17
        Section 2: Connectivity ................................... 18
        Section 3: SmartDefense ................................... 18
        Section 4: Application Intelligence ....................... 19
        Section 5: Web Security ................................... 20
        Appendices ................................................ 20
    Related Documentation ......................................... 21
    More Information .............................................. 24

Network Access

Chapter 1  Access Control
    The Need for Access Control ................................... 28
    Solution for Secure Access Control ............................ 29
        Access Control at the Network Boundary .................... 29
        The Security Rule Base .................................... 30
        Example Access Control Rule ............................... 31
        Rule Base Elements ........................................ 31
        Implied Rules ............................................. 32
        Preventing IP Spoofing .................................... 33
        Multicast Access Control .................................. 35
    Considerations for Access Control ............................. 39
        Spoof Protection .......................................... 39
        Simplicity ................................................ 39
        Basic Rules ............................................... 40
        Rule Order ................................................ 40
        Topology Considerations: DMZ .............................. 40
        The X11 Service ........................................... 41
        When to Edit Implied Rules ................................ 41
    Configuring Access Control .................................... 42
        Defining Access Control Rules ............................. 42
        Defining a Basic Policy ................................... 42
        Configuring Anti-Spoofing ................................. 43
        Configuring Multicast Access Control ...................... 44


Chapter 2  Authentication
    The Need for Authentication ................................... 48
    VPN-1 Power Solution for Authentication ....................... 49
        Introduction to VPN-1 Power Authentication ................ 49
        Choosing an Authentication Method ......................... 50
        Authentication Schemes .................................... 50
        Authentication Methods .................................... 53
    Configuring Authentication .................................... 63
        Creating Users and Groups ................................. 63
        Configuring User Authentication ........................... 65
        Configuring Session Authentication ........................ 66
        Configuring Client Authentication ......................... 70
        Configuring Authentication Tracking ....................... 75
        Configuring a VPN-1 Power Gateway to use RADIUS ........... 76
        Granting User Access Based on RADIUS Server Groups ........ 77
        Associating a RADIUS Server with a VPN-1 Power Gateway .... 79
        Configuring a VPN-1 Power Gateway to use SecurID .......... 79
        Configuring a VPN-1 Power Gateway to use TACACS+ .......... 80
        Groups of Windows users ................................... 81

Connectivity

Chapter 3  Network Address Translation (NAT)
    The Need to Conceal IP Addresses .............................. 86
    Check Point Solution for Network Address Translation .......... 87
        Public and Private IP addresses ........................... 87
        NAT in VPN-1 Power ........................................ 88
        Static NAT ................................................ 89
        Hide NAT .................................................. 90
        Automatic and Manual NAT Rules ............................ 91
        Automatic Hide NAT for Internal Networks .................. 92
        Address Translation Rule Base ............................. 93
        Bidirectional NAT ......................................... 94
        Understanding Automatically Generated Rules ............... 95
        Port Translation .......................................... 97
        NAT and Anti-Spoofing ..................................... 97
        Routing Issues ............................................ 97
        Disabling NAT in a VPN Tunnel ............................. 99

    Planning Conside